{
	"id": "2374141a-0333-4135-93c4-aa39e9625763",
	"created_at": "2026-04-06T02:11:21.491755Z",
	"updated_at": "2026-04-10T13:11:58.91252Z",
	"deleted_at": null,
	"sha1_hash": "16da789d6a5437af128d180872ed3873ce39363e",
	"title": "Crysis Threat Actor Installing Venus Ransomware Through RDP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1268937,
	"plain_text": "Crysis Threat Actor Installing Venus Ransomware Through RDP\r\nBy ATCP\r\nPublished: 2023-06-22 · Archived: 2026-04-06 01:38:40 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered that the Crysis ransomware’s threat\r\nactor is also using the Venus ransomware in its attacks. Crysis and Venus are both major ransomware types\r\nknown to target externally exposed remote desktop services. [1] Actual logs from the AhnLab Smart Defense\r\n(ASD) infrastructure also show attacks being launched through RDP.\r\nAside from Crysis and Venus, the threat actor also installed a variety of other tools such as a port scanner and\r\nMimikatz. If the infected system turns out to be part of a company’s internal network, that network can also become\r\na target of such tools, and such cases have actually been observed.\r\n1. Installing Ransomware Using RDP\r\nThreat actors who use RDP (Remote Desktop Protocol) as an attack vector generally scan for systems where RDP\r\nis active and allows external access. Systems found during this scanning process are subjected to brute force or\r\ndictionary attacks. If a user has weak account credentials, threat actors can easily obtain those\r\ncredentials.\r\nThreat actors can use the obtained account credentials to log in to the system through RDP, allowing them to gain\r\ncontrol over the system in question and perform a variety of malicious actions. The threat actor who installed the\r\nVenus ransomware likely used RDP as the attack vector. 
This assumption is supported by the fact that multiple malware types\r\nwere generated by the Windows Explorer process (explorer.exe), as shown below.\r\nIn attacks identified in the past, the threat actor first attempted to encrypt the infected system using the Crysis\r\nransomware, and after failing to do so, attempted encryption again using the Venus ransomware.\r\nhttps://asec.ahnlab.com/en/54937/\r\nPage 1 of 7\n\nAdditionally, the threat actor used the same Crysis ransomware to continuously launch attacks against other\r\nsystems. One of the identified attacks employed the same tactic of targeting an externally exposed RDP service.\r\nAfter the attack had succeeded, the attacker accessed other systems through RDP and infected them with Crysis.\r\n2. Malware Used in the Attack Process\r\nThe threat actor installs various malware types on the infected system. The installed tools are scanners and account\r\ncredential theft tools, most of them created by NirSoft. From this it can be assumed that the network of\r\nthe infected system is also a target.\r\nFile Name (Path Name) | Type\r\n1.exe_ | Venus Ransomware\r\nbild.exe_ | Crysis Ransomware\r\n\\mimik\\x32\\mimik.exe, \\mimik\\x32\\mimilib.dll, \\mimik\\x64\\mimik.exe, \\mimik\\x64\\mimilib.dll | Mimikatz\r\nwebbrowserpassview.exe | Web Browser Password Viewer – NirSoft\r\nmailpv.exe | Mail PassView – NirSoft\r\nvncpassview.exe | VNCPassView – NirSoft\r\nwirelesskeyview64.exe | Wireless Key View – NirSoft\r\nbulletspassview64.exe | BulletsPassView – NirSoft\r\nrouterpassview.exe | RouterPassView – NirSoft\r\nmspass.exe | MessenPass (IM Password Recovery) – NirSoft\r\nrdpv.exe | Remote Desktop PassView – NirSoft\r\nnetpass64.exe | Network Password Recovery – NirSoft\r\nns64.exe | Network Share Scanner\r\nTable 1. 
Tools used in attacks\r\nAfter the threat actor takes over the system via RDP, the above tools are used to scan the network to check whether the\r\ninfected system is part of a specific network. If so, the threat actor can\r\nperform internal reconnaissance and collect account credentials in order to also encrypt the other systems on the\r\nnetwork. Mimikatz can be used in this process. Using the collected account information, lateral movement to other\r\nsystems within the network can follow. In an actual attack case involving Crysis, the threat actor used RDP for\r\nlateral movement into other systems within the network.\r\nThe threat actor ultimately executed Crysis to encrypt the system and, after recognizing a few hours later that it had failed,\r\nretried the attack using Venus. If the Crysis ransomware had run correctly, the user would have seen the following\r\nransom note.\r\nThreat actor’s email address: datacentreback@msgsafe[.]io, moriartydata@onionmail[.]org\r\n3. Venus Ransomware\r\nAmong the files copied to the Download folder by the threat actor, Venus ransomware has the name bild.exe_.\r\nOverview | Description\r\nExtension | .venus\r\nPaths excluded from encryption | “Tor Browser”, “Windows”, “dropbox”, “iexplorer”\r\nPaths excluded from encryption | “venus”, “README.txt”, “README.html”\r\nRansom note | README.html\r\nProcesses for termination | Refer to the information further below\r\nOthers | Deletes volume shadow copies\r\nTable 2. 
Venus Ransomware overview\r\nVenus first terminates various programs such as Office, email clients, and databases so that it can encrypt more files.\r\nList of Target Processes for Termination\r\nagntsvc.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, dbeng50.exe, dbsnmp.exe, encsvc.exe,\r\nexcel.exe, firefoxconfig.exe, infopath.exe, isqlplussvc.exe, msaccess.exe, msftesql.exe,\r\nmspub.exe, mydesktopqos.exe, mydesktopservice.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, onenote.exe, oracle.exe, outlook.exe,\r\npowerpnt.exe, sqbcoreservice.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlservr.exe,\r\nsqlwriter.exe, synctime.exe, tbirdconfig.exe, thebat64.exe, thunderbird.exe, winword.exe,\r\nwordpad.exe, xfssvccon.exe\r\nTable 3. List of target processes for termination\r\nAn icon for the .venus file extension is registered before the encryption process begins. Because the encrypted\r\nfiles’ extensions are changed to .venus, users see the files with the following icon.\r\nThe command used by Venus to delete volume shadow copies is as follows.\r\n\u003e cmd.exe /C wbadmin delete catalog -quiet \u0026\u0026 vssadmin.exe delete shadows /all /quiet \u0026\u0026 bcdedit.exe\r\n/set {current} nx AlwaysOff \u0026\u0026 wmic SHADOWCOPY DELETE\r\nAt this stage, the ransomware changes the desktop and displays the README file. The file contains a message\r\nsaying that the threat actors have stolen information from the system and encrypted the files, urging the user to\r\nmake contact within 48 hours.\r\nThreat actor’s email address: venusdata@onionmail.org\r\n4. Conclusion\r\nAttackers have long been using RDP in the initial compromise and lateral movement\r\nstages. These attacks usually occur through brute force and dictionary attacks against systems with\r\nweak account credentials. 
In particular, besides the Crysis threat actor in this Venus ransomware incident, many other ransomware operators use RDP as their main initial attack\r\nvector.\r\nUsers can deactivate RDP when not in use to decrease the number of attack attempts. If RDP is being used, it is\r\nadvised to use a complex account password and to change it periodically to prevent brute force and dictionary\r\nattacks. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Trojan/Win32.Crysis.R213980 (2018.11.23.00)\r\n– HackTool/Win.PassViewer.C5353353 (2023.01.08.03)\r\n– Ransomware/Win.Venus.C5220541 (2023.02.20.03)\r\n– Trojan/Win64.Mimikatz.R348743 (2020.08.20.07)\r\n– Trojan/Win32.RL_Mimikatz.R281240 (2019.07.14.00)\r\n– Trojan/Win32.RL_Mimikatz.R364133 (2021.01.25.01)\r\n– Trojan/Win.Mimikatz.R428853 (2021.07.02.01)\r\n– HackTool/Win.Mailpassview.C5353346 (2023.01.08.03)\r\n– HackTool/Win.PassViewer.C5353355 (2023.01.08.03)\r\n– HackTool/Win64.WirelessKeyView.C3697346 (2020.05.21.06)\r\n– HackTool/Win.PassViewer.C5353358 (2023.01.08.03)\r\n– Unwanted/Win32.Agent.R266440 (2019.04.23.00)\r\n– HackTool/Win.PSWTool.R345815 (2022.09.02.00)\r\n– HackTool/Win.PassViewer.C5353351 (2023.01.08.03)\r\n– Unwanted/Win32.HackTool.C613821 (2014.11.01.00)\r\n– Unwanted/Win32.Passview.C568442 (2014.09.23.00)\r\nBehavior Detection\r\n– Ransom/MDP.Decoy.M1171\r\n– Ransom/MDP.Command.M2255\r\n– Ransom/MDP.Event.M1785\r\nMD5\r\n2a541cb2c47e26791bca8f7ef337fe38\r\n3684fe7a1cfe5285f3f71d4ba84ffab2\r\n3a302cd820b1535ccc6545542bf987d1\r\n44bd492dfb54107ebfe063fcbfbddff5\r\n4984b907639851dfa8409e60c838e885\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. 
\r\nSource: https://asec.ahnlab.com/en/54937/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/54937/"
	],
	"report_names": [
		"54937"
	],
	"threat_actors": [],
	"ts_created_at": 1775441481,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16da789d6a5437af128d180872ed3873ce39363e.pdf",
		"text": "https://archive.orkl.eu/16da789d6a5437af128d180872ed3873ce39363e.txt",
		"img": "https://archive.orkl.eu/16da789d6a5437af128d180872ed3873ce39363e.jpg"
	}
}